Follow these steps:
- Download the required VMware Horizon STIG XML documents (see the download link in the References section).
- Download a STIG viewer from DoD Cyber Exchange STIG Viewing Tools and import the VMware Horizon STIG XML files into the viewer.
- Work through the following list individually and restart the affected VM after every step is completed to ensure the STIGs have been applied correctly. This is a manual process.
- Create the "locked.properties" file in Program Files\VMware\VMware View\Server\sslgateway\conf if this file does not already exist within the directory. This file is used throughout the document.

Rule title | Vulnerability fix |
--- | --- |
The Horizon Connection Server must limit the number of concurrent client sessions | On the Horizon Connection Server, navigate to Open the "locked.properties" file in a text editor and add or change the following line: maxConnections=2000 The default value of "2000" may be increased to no more than 4000 if required and properly documented. Otherwise, keep the default value of "2000". Save and close the file. Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
The Horizon Connection Server must be configured to only support TLS 1.2 connections | On the Horizon Connection Server, navigate to Open the "locked.properties" file in a text editor and remove any "secureProtocols.2" or "secureProtocols.3" settings. Add or change the following lines:<br>Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect. |
The Horizon Connection Server must be configured to use debug level logging | On the Horizon Connection Server, open the Start menu. Find and launch the "Set Horizon Connection Server Log Levels" shortcut. The precise location will vary depending on the Windows Server version and Start menu options. In the resulting command window, select option 2, "View Debug". Press any key to exit the command prompt window. |
The Horizon Connection Server administrators must be limited in terms of quantity, scope, and permissions | Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Administrators. To remove users or groups: From the "Administrators and Groups" tab, select the unnecessary users or groups in the left pane and click the Remove User or Group button. Click OK to confirm removal. To modify assigned permissions: From the "Administrators and Groups" tab, select the appropriate user or group in the left pane. In the right pane, select the role to remove and click Remove Permission. Click OK to confirm removal. To create a new role with more limited permissions: From the "Role Permissions" tab, click Add Role, then provide a descriptive name and select the minimum required permissions. Click OK, then highlight the new role. Click Add Permission, then click Add and find the relevant user(s). Click OK and then Finish. |
The Horizon Connection Server user interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system | Log in to the Horizon Connection Server administrative interface as an administrator. Navigate to Settings >> Global Settings >> General Settings. Click the Edit button. Scroll down to the "Display a Pre-Login Message" checkbox. Ensure the box next to "Display a Pre-Login Message" is checked. In the "Display a Pre-Login Message" field, supply the Standard Mandatory DoD Notice and Consent Banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Click OK. |
The Horizon Connection Server must be configured with an events database | Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Event Configuration. In the right pane, under "Event Database", click Edit and enter the necessary database information in the fields provided. Click OK. |
The Horizon Connection Server must perform full path validation on server-to-server TLS connection certificates. | On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to If the "CertificateRevocationCheckType" key exists: > Right click "CertificateRevocationCheckType", select "Modify..." and set the value to "3" (without quotes). > Click "OK". If the "CertificateRevocationCheckType" key does not exist: > Right-click on the "Security" folder and select "New" then "DWORD (32 bit) Value". > Set the name to "CertificateRevocationCheckType" (without quotes). > Right-click "CertificateRevocationCheckType", select "Modify..." and set the value to "3" (without quotes). > Click "OK". Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
The Horizon Connection Server must only use FIPS 140-2 validated cryptographic modules. | FIPS mode can only be implemented during installation. Reinstall the Horizon Connection server and select the option to enable FIPS mode (after the IP configuration). Note: The Connection Server can only be installed in FIPS mode if Windows Server itself is running in FIPS mode. |
The Horizon Connection Server must time out idle administrative sessions after 15 minutes or less. | Log in to the Horizon Connection Server administrative console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab and click "Edit". Set the "Horizon Console Session Timeout" value to "15" minutes (or less). Click "OK". |
The Horizon Connection Server must protect log files from unauthorized access. | On the Horizon Connection Server, navigate to "<install_directory>\ProgramData\VMware\VDM". Right-click the "logs" folder and select "Properties". Change to the "Security" tab and click "Edit…". Highlight any groups or users that are not built-in system administrative accounts or the local "Administrators" group and click "Remove". Click "OK" and then "OK" again. |
The Horizon Connection Server must offload events to a central log server in real time. | Log in to the Horizon Connection Server administrative console. From the left pane, navigate to Settings >> Event Configuration. In the right pane, under "Syslog", click "Add". Enter the address of your central log server and configure the port if necessary. Click "OK". Repeat for other servers as applicable. |
The Horizon Connection Server must be configured with a DoD-issued TLS certificate. | Obtain a web server certificate from a DoD authority, specifying the common name as the Horizon Connection Server FQDN, the signing algorithm as "SHA256", and the key strength of at least "1024 bits". Export the certificate and private key to a password-protected PFX bundle. On the Horizon Connection Server, open "certlm.msc" or "certmgr.msc" (Certificate Management - Local Computer). Rename the existing certificate, if there is one: > Select Personal >> Certificates, then in the right pane, locate the certificate with the "Friendly Name" of "vdm". > Right-click this certificate, select "Properties", and change the "Friendly name" to "vdm-original" or something similar. Click "OK". Import the new certificate: > Right-click on the Personal >> Certificates folder. > Select All Tasks >> Import. > Click "Next", then "Browse...", navigate to the .pfx bundle and click "Open". > Click "Next", supply the password, select "Mark this key as exportable" and "Include all extended properties", then click "Next", "Next", then "Finish". > Right-click on the newly imported certificate, select "Properties", then change the "Friendly name" to "vdm" (this name must match exactly in name and case). Click "OK". Restart the Connection Server or the "VMware Horizon View Connection Server" service for the changes to take effect. |
All Horizon components must be running supported versions. | Install or upgrade each Horizon Connection Server to a VMware supported version. |
The Horizon Connection Server must reauthenticate users after a network interruption. | Log in to the Horizon Connection Server administrative console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "Security Settings" tab. Click "Edit". Check the box next to "Reauthenticate Secure Tunnel Connections After Network Interruption". Click "OK". |
The Blast Secure Gateway must be configured to only support TLS 1.2 connections. | On the Horizon Connection Server, navigate to Add or update the following lines:<br>Save and close the file. Restart the "VMware Horizon View Blast Secure Gateway" service for the changes to take effect. Note: If the Horizon Connection Server is set to "Do not use Blast Secure Gateway", this control does not apply. |
The Horizon Connection Server must force server cipher preference. | On the Horizon Connection Server, navigate to "<install_directory>\Program Files\VMware\VMware View\Server\sslgateway\conf". Open the "locked.properties" file in a text editor and add or change the following line:<br>Save and close the file. Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
The Horizon Connection Server must validate client and administrator certificates. | On the Horizon Connection Server, navigate to "<install_directory>\Program Files\VMware\VMware View\Server\sslgateway\conf". Open the "locked.properties" file in a text editor and add or change the following line:<br>Add or configure the remaining items per the discussion, based on site architecture. Save and close the file. Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
The Horizon Connection Server must disconnect users after a maximum of ten hours. | Log in to the Horizon Connection Server administrative console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Next to "Forcibly Disconnect Users", select "After" from the dropdown and fill in "600" minutes in the text field. Click "OK". |
The Horizon Connection Server must disconnect applications after two hours of idle time. | Log in to the Horizon Connection Server administrative console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Next to "Disconnect Applications and Discard SSO Credentials for Idle Users", select "After" from the dropdown and fill in "120" minutes in the text field. Click "OK". |
The Horizon Connection Server must discard SSO credentials after 15 minutes. | Log in to the Horizon Connection Server administrative console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Next to "Discard SSO Credentials", select "After" from the dropdown and fill in "15" in the minutes text field. Click "OK". |
The Horizon Connection Server must not accept pass-through client credentials. | Log in to the Horizon Connection Server administrative console. From the left pane, navigate to Settings >> Servers. Select the Connection Servers tab in the right pane. Click "Edit". Click the "Authentication" tab. Scroll down to the "Current User Authentication". Uncheck the checkbox next to "Accept logon as current user". Click "OK". Note: When "Smart card authentication for users" is set to "Required", this setting will be unchecked and greyed out automatically. |
The Horizon Connection Server must require DoD PKI for client logins. | Option One - Use Horizon's native CAC authentication: > Log in to the Horizon Connection Server administrative console. > From the left pane, navigate to Settings >> Servers. > In the right pane, select the "Connection Servers" tab. > For each Connection Server listed, select the server and click "Edit". > Click the "Authentication" tab, then under "Horizon Authentication", in the dropdown below "Smart card authentication for users", select "Required". > Click "OK". Option Two - Delegate CAC authentication to an external IdP: > Log in to the Horizon Connection Server administrative console. > From the left pane, navigate to Settings >> Servers. > In the right pane, select the "Connection Servers" tab. > For each Connection Server listed, select the server and click "Edit". > Click the "Authentication" tab, then under "Horizon Authentication", in the dropdown next to "Smart card authentication for users", select "Optional" or "Not Allowed". > In the dropdown under "Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator)", select "Allowed" or "Required", depending on what you set the native capability to in the previous step. > Click "Manage SAML Authenticators". > Click "Add", then complete the necessary fields. > Ensure "Enabled for Connection Server" is checked, then click "OK" on each subsequent screen to save the settings. Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
The Horizon Connection Server must backup its configuration daily. | Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Select the "Backup" tab. Set "Automatic backup frequency" to "Every day" or select a more frequent option. Click "OK". |
The Horizon Connection Server Instant Clone domain account must be configured with limited permissions. | Log in to Active Directory Users and Computers. Navigate to the specified Instant Clone container. Set the permissions for the Instant Clone Domain Account to:<br>Ensure the permissions apply to the correct container and to all child objects of the container. |
The Horizon Connection Server must disable client initiated TLS renegotiation. | On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TunnelService\Params". Locate the "JvmOptions" key. If "JvmOptions" exists, right-click it and select "Modify...", and ensure the following option exists:<br>Click "OK". |
The Horizon Connection Server must have X-Frame-Options enabled. | On the Horizon Connection Server, navigate to "<install_directory>\Program Files\VMware\VMware View\Server\sslgateway\conf". Open the "locked.properties" file in a text editor and remove the following line:<br>Save and close the file. Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
The Horizon Connection Server must have Origin Checking enabled. | On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open the "locked.properties" file in a text editor and remove the following line:<br>To allowlist a load balancer in front of the Connection Server, add the following line:<br>To allowlist Unified Access Gateway (UAG) gateways, add every address using the following format and pattern:<br>Save and close the file. Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
The Horizon Connection Server must enable the Content Security Policy. | On the Horizon Connection Server, navigate to "<install_directory>\Program Files\VMware\VMware View\Server\sslgateway\conf". Open the "locked.properties" file in a text editor and remove the following line:<br>Save and close the file. Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
The Horizon Connection Server must enable the proper Content Security Policy directives. | On the Horizon Connection Server, navigate to "<install_directory>\Program Files\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, create it in a text editor. Open the file and remove the following settings, if present:<br>Save and close the file. Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
The PCoIP Secure Gateway must be configured with a DoD-issued TLS certificate. | On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway". Option One - Use the same certificate as the Connection Server: > Create a new String (REG_SZ) key named "SSLCertWinCertFriendlyName". > Set its value to "vdm". Option Two - Use a different certificate for the PCoIP Secure Gateway: > Create a new String (REG_SZ) key named "SSLCertWinCertFriendlyName". > Set its value to a distinct friendly name ("pcoip", for example). > Obtain a web server certificate from a DoD CA, specifying the common name as the Horizon Connection Server FQDN, the signing algorithm as "SHA256" and the key strength of at least "1024 bits". > Export the certificate and private key to a password-protected PFX bundle. > In "certlm.msc" (Certificate Management - Local Computer), right-click on the Personal >> Certificates folder. > Select All Tasks >> Import. > Click "Next", then "Browse...", then navigate to the .pfx bundle and click "Open". > Click "Next", supply the password, select "Mark this key as exportable" and "Include all extended properties", then click "Next", "Next" and "Finish". > Right-click the newly imported certificate and select "Properties". > Change the "Friendly name" to what was set earlier ("pcoip", for example). This name must be exact in name and case, as set above. Click "OK". Restart the "VMware Horizon View PCoIP Secure Gateway" service for the changes to take effect. |
The Horizon Connection Server must not allow unauthenticated access. | Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. In the drop-down below Horizon Authentication >> Unauthenticated Access, select "Disabled" and click "OK". Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
The Horizon Connection Server must require CAC reauthentication after user idle timeouts. | Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab and click "Edit". Select the checkbox next to "Enable 2-Factor Reauthentication" and click "OK". |
The Horizon Connection Server must be configured to restrict USB passthrough access. | Option One - Disable USB Access Globally: > Log in to the Horizon Connection Server Console. > From the left pane, navigate to Settings >> Global Policies. > In the right pane, click "Edit Policies". > In the drop-down next to "USB Access", select "Deny". > Click "OK". Option Two - Confirm per-pool settings: > Log in to the Horizon Connection Server Console. > From the left pane, navigate to Inventory >> Desktops. > In the right pane, click the name of each pool that does not explicitly require access to USB devices. > In the next screen, click the "Policies" tab and click "Edit Policies". > In the dropdown next to "USB Access", select "Inherit" and click "OK". > Click the "Policy Overrides" tab. > "Edit" or "Remove" as necessary to ensure that the number of configured users with "USB Access" set to "Allow" is as limited as possible. |
The Horizon Connection Server must prevent MIME type sniffing. | On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open the "locked.properties" file in a text editor and remove the following line:<br>Save and close the file. Restart the "VMware Horizon View Connection Server" service for the changes to take effect. |
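As an added example (not part of the STIG or of VMware's documentation), the following PowerShell script performs a read-only spot check of several of the settings above on a Connection Server, so that drift can be detected after the manual steps are done. It assumes the default install path, and it uses a labelled placeholder for the registry key that holds "CertificateRevocationCheckType", because that key's path is not given in the text above.

```powershell
# Added example (not from VMware or DISA): read-only spot check of several of
# the settings above on a Connection Server. Assumptions: default install path,
# and the registry key that holds CertificateRevocationCheckType (its path is
# elided in the text above) is supplied by the operator via a placeholder.
param(
    [string]$InstallDir = 'C:\Program Files\VMware\VMware View\Server',
    [string]$LogsDir    = 'C:\ProgramData\VMware\VDM\logs',
    # PLACEHOLDER: replace with the actual path of the VMware VDM "Security" key.
    [string]$RevocationKeyPath = 'HKLM:\SOFTWARE\<placeholder>\Security'
)
$findings = New-Object System.Collections.Generic.List[string]

# locked.properties: must exist; maxConnections may be raised only as far as 4000.
$locked = Join-Path $InstallDir 'sslgateway\conf\locked.properties'
if (-not (Test-Path $locked)) {
    $findings.Add("locked.properties not found at $locked")
} else {
    $props = @{}
    foreach ($line in Get-Content $locked) {
        # key=value lines; '#' comment lines and blank lines are skipped
        if ($line -match '^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$') { $props[$Matches[1]] = $Matches[2] }
    }
    if ($props.ContainsKey('maxConnections') -and [int]$props['maxConnections'] -gt 4000) {
        $findings.Add("maxConnections=$($props['maxConnections']) exceeds the documented ceiling of 4000")
    }
}

# Full path validation on server-to-server TLS: CertificateRevocationCheckType must be 3.
$rev = Get-ItemProperty -Path $RevocationKeyPath -Name CertificateRevocationCheckType -ErrorAction SilentlyContinue
if ($null -eq $rev -or $rev.CertificateRevocationCheckType -ne 3) {
    $findings.Add('CertificateRevocationCheckType is missing or not set to 3')
}

# PCoIP Secure Gateway: friendly name of the certificate it is told to present.
$pcoip = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Teradici\SecurityGateway' -Name SSLCertWinCertFriendlyName -ErrorAction SilentlyContinue
$pcoipName = if ($pcoip) { $pcoip.SSLCertWinCertFriendlyName } else { $null }
if (-not $pcoipName) { $findings.Add('PCoIP Secure Gateway: SSLCertWinCertFriendlyName is not set') }

# Certificates referenced by friendly name (case-sensitive match, as the text
# requires): SHA256 signature and an RSA key of at least 1024 bits, the floor
# stated above; raise the floor if local policy requires it.
$names = @('vdm')
if ($pcoipName -and $pcoipName -cne 'vdm') { $names += $pcoipName }
foreach ($name in $names) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -ceq $name } | Select-Object -First 1
    if (-not $cert) { $findings.Add("No certificate with friendly name '$name' in LocalMachine\My"); continue }
    $sig = $cert.SignatureAlgorithm.FriendlyName
    if ($sig -notmatch 'sha256') { $findings.Add("'$name': signature algorithm is $sig, expected SHA256") }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt 1024) { $findings.Add("'$name': RSA key is only $($rsa.KeySize) bits") }
}

# Log directory ACL: only SYSTEM and the local Administrators group (assumed allow-list;
# extend it if your site documents other built-in administrative accounts).
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$acl = Get-Acl -Path $LogsDir -ErrorAction SilentlyContinue
if ($acl) {
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notin $allowed) {
            $findings.Add("logs ACL grants '$($ace.IdentityReference.Value)' $($ace.FileSystemRights)")
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated Windows PowerShell session on each Connection Server after completing the manual steps; it changes nothing and only reports deviations from the values the rules above require.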